AC/DC 'Thunderstruck' worm and the rise of infrastructure attacks

By Kevin McCaney

Jul 27, 2012

Industrial control systems are increasingly the targets of cyberattacks, both domestically and overseas, as a spate of recent events demonstrates.

Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, recently said the number of cyberattacks on U.S. infrastructure increased 17-fold between 2009 and 2011, the New York Times reported.

Alexander, speaking at the Aspen Security Forum in Colorado, attributed the attacks to organized crime, hackers and other nations. He didn’t go into details on the attacks, the Times reported, but his remarks underscore the extent to which critical infrastructure — such as water, power and nuclear plants — is becoming a cyber battlefield.

Iran’s nuclear program, for instance, may have been hit with another disruptive virus, one that, in addition to shutting down networks at two plants, also blared the AC/DC song “Thunderstruck,” according to an e-mail received by the security company F-Secure.

Security researcher Mikko Hypponen wrote in a blog post that he received an e-mail from a scientist at the Atomic Energy Organization of Iran (AEOI) saying that hackers had gained access to the organization’s virtual private network and distributed the virus to two facilities.

“I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom,” the scientist wrote in the e-mail.

“The automation network and Siemens hardware were attacked and shut down,” said the scientist, who admitted knowing little about cyber issues.

Hypponen said he couldn’t confirm the attack, but could confirm that the e-mail came from within AEOI.

Natanz was the prime target of the Stuxnet worm, which attacked the Siemens programmable logic controllers that drove the plant’s centrifuges and disrupted Iran’s uranium enrichment in 2010. Stuxnet and at least one other significant piece of malware, the Flame spyware, have been attributed to a U.S./Israeli cyber war program.

F-Secure’s report coincides with an advisory from the Homeland Security Department’s industrial control systems security team about a vulnerability in Siemens software that could affect operations in the energy, water and chemical sectors, among other industries.

The advisory from the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that Siemens had released an update to fix the DLL hijacking vulnerability. If left unpatched, an attacker who could place a malicious Dynamic Link Library where the affected software looks for its libraries could have it loaded in place of the legitimate one, inserting malicious code into industrial control systems.

Hypponen, however, told NextGov he was “quite sure” the two incidents were unrelated.
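DLL hijacking of the kind the ICS-CERT advisory describes depends on one precondition the defender can check directly: a directory that Windows searches before the one holding the legitimate DLL must be writable by a low-privileged user. The script below is an added example, not code from this article, ICS-CERT or Siemens. It lists the directories Windows consults, in the default SafeDllSearchMode order, when a program loads a DLL by bare file name, and flags any that Everyone, Users or Authenticated Users can write to. The executable path is a placeholder supplied by the operator; nothing here is specific to the Siemens product in the advisory.

```powershell
# Added example (not from the article, ICS-CERT or Siemens): find user-writable
# directories on an application's DLL search path, the precondition for DLL hijacking.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath    # e.g. 'C:\Apps\Hmi\hmi.exe' (hypothetical placeholder)
)

$appDir = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path

# Default search order with SafeDllSearchMode enabled: application directory,
# System32, the 16-bit System directory, the Windows directory, the current
# directory, then each entry of PATH. Earlier entries win.
$searchOrder = @(
    $appDir,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:Path -split ';' | Where-Object { $_ -ne '' })

# Principals every interactive user belongs to; an Allow ACE granting write
# rights to one of them makes the directory attacker-writable.
$lowPrivPrincipals = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'

$results = foreach ($dir in ($searchOrder | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $acl = Get-Acl -LiteralPath $dir
    $weakAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $lowPrivPrincipals -and
        ($_.FileSystemRights.ToString() -match 'Write|CreateFiles|Modify|FullControl')
    })
    [pscustomobject]@{
        Order        = [array]::IndexOf($searchOrder, $dir) + 1
        Directory    = $dir
        UserWritable = ($weakAces.Count -gt 0)
        GrantedTo    = ($weakAces.IdentityReference.Value -join ', ')
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object UserWritable) {
    Write-Warning 'A directory on the DLL search path is writable by standard users; any DLL the application loads by name could be planted there.'
}
```

Two caveats when reading the output. The order shown is the OS default; a program that calls SetDllDirectory, SetDefaultDllDirectories or LoadLibraryEx with LOAD_LIBRARY_SEARCH_* flags changes it, and the current-directory entry moves ahead of System32 if SafeDllSearchMode has been disabled in the registry. The durable fix is the one the advisory implies: load libraries by full path or restrict the search to System32 and the application directory, and keep both of those writable only by administrators.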

Another apparently unrelated incident, other than that it concerns Iran and, tangentially, the United States, is the sudden return of the Mahdi malware, which apparently was created in Iran to spy on Iranian citizens. The malware’s command and control servers were shut down last week, but Kaspersky Lab reported that the malware showed up again July 25 with new features.

Among its new features, Mahdi watches for victims visiting Web pages that have “USA” and “gov” in their titles, takes screenshots of those pages and uploads them to its command and control server, according to a blog post by Kaspersky researcher Nicolas Brulez.

Mahdi has been described as a sort of poor man’s Flame, the spyware that security experts say was used to gather information in preparation for the Stuxnet attacks.